Q&A
EXPERTS ADDRESS TRENDING SECURITY TOPICS

Beyond Security Awareness
TALKING ABOUT SECURITY IS NOT ENOUGH. WE ALL NEED TO ACT ON SECURITY PRACTICES.

RAJ GOEL, CISSP, is CTO of Brainlink International, Inc. and an IT and infosecurity expert who develops security solutions for various industries. Senior Managing Editor Joyce Chutchian spoke with Raj about the state of IT security.

Q: You’ve written and spoken a lot about social media threats and risks. What are your biggest concerns?

First of all, there is the myth that cybercrime and financial fraud is a recent concept, when in fact, the problems started in the 1934 to 1936 era, when the IRS issued Social Security cards. Your Social Security number became your de facto ID number, and it’s still used today, despite all the corruption and identity fraud.

I give a popular talk at conferences, on how social media and the cloud are over-collecting worldwide, especially for the under-18 population. Kids who were born in 1983 and beyond have grown up with computers. They do everything online like SMSing and chatting. As teenagers, they are not wired to think of 34-year-old threats. We have built a surveillance engine; everything a 12-year-old says online will never be forgotten. And what they say and what their friends do and say, whether it be on a game website, retail or Facebook, will follow them and haunt them for the rest of their lives. It’s all stored in the cloud, and they don’t even know what the cloud really is.

Q: What are your biggest concerns about the cloud right now?

From a technical perspective, there is no clear definition of what the cloud is. Some people are relabeling it as private hosting, and private data centers are relabeling it as the cloud. From a legal perspective—under current U.S. federal law—what the cloud gives you technically, it takes from you legally.

Take HIPAA for example: You are a doctor. If your records go missing, you are personally liable for that data loss. The customer records are lost, and the organization is held accountable for any breached data.

In the cloud, if your vendor loses data, the vendor is not liable. You are liable. I’m working with nonprofit, underprivileged healthcare organizations, and they want to be compliant. They don’t have the budget, so they are moving to Google Apps. Google says not to use Google Apps for HIPAA or PCI. Vendors have been carefully insulating themselves from any liability without telling the customer. There is no lemon law for cloud computing. If Google loses your data…oops! The liability is yours.

Q: What can we do about this?

We need to educate everyone aged 18 to 60. This means educate ourselves, management, families, and other members of our society who help enforce the laws, design and pass them. Don’t just collect a paycheck. Be involved as citizens of our society and in politics. As security professionals, we are all citizens, and we are all consumers. It is our charter that we have to be in the front lines of protecting fellow citizens, whether it be attorneys, accountants, teachers, parents, medical professionals, etc. Go talk to your local parent/teacher school groups. Talk to the Boy Scouts and Girl Scouts; local attorneys and bar associations.

I have spent more than fifteen years reading the law on security—and it’s not how you can configure a firewall, it’s how you can create a security policy. Encrypt your laptop. Don’t be lazy. It’s not enough to be educated—you need to enforce awareness. Just because a security question asks you for your mother’s maiden name, doesn’t mean you have to use her real name. Change your passwords frequently. Don’t just talk about security, act on it.


                                                                        ISSUE NUMBER 19    INFOSECURITY PROFESSIONAL    21
2012 09 Isc2 Info Security Professional Magazine Raj Goel Interview